In the FREESCO support forums (http://forums.freesco.org) new patches are announced. This is also where you find instructions on how to download and install them. By installing these patches, you ensure your box is as good (and safe!) as it gets. Hence, be sure to check out the currently available patches for your FREESCO version!

FTP is insecure because both the user ID and the password are sent as unencrypted text. This means that with a sniffer it is pretty easy to get access to an account. While it might be acceptable to take this risk for a normal user, it is unacceptable for root. Hence I have disabled FTP access for root on my box. This is done by modifying the startup script for the FTP server (/rc/rc_ftpd). The original startup line looks like this:

With PureFTP you can specify the lowest uid that is allowed to use FTP. Root has uid 0, so we should only allow users with a uid of 1 or higher. To use this configuration, just add -u 1 to the startup line and restart the server with rc_ftpd restart. Then try to log in as root (or any other user with uid 0). If everything went OK, you should not be able to log in.

By default, most Linux systems have a root user with full access to the whole system. For a hacker, it is enough to figure out the password for this user in order to get access to the system. To make it harder for hackers, one might add a new user with the same privileges as root, and then delete/disable the root user. Now the hacker must guess the user ID of the root user as well as the password. Here are instructions for disabling the root user on your FREESCO.

Log in as root and create a new normal user with useradd <newrootname>

Open the password file (/etc/passwd) and change the privileges of the new user from 500:100 to 0:0. Also change the home directory of the user to /

Only if you installed the opensshd-package and use AllowUsers in /pkg/etc/sshd_config: Add the new user in the AllowUsers statement. Do NOT remove the root user from this section yet! If you do, and anything goes wrong, you might be locked out from your box! Then restart sshd with rc_opensshd restart

Log in as the new user and edit the password file again. Now change the shell for the root user from /bin/sh to /bin/false. This should make it impossible for root to log in.

Try to log in as root. If everything is correct, you should not be able to log in. Log in with your new user and copy the password file from /etc/passwd to /boot/etc/ to make the changes permanent.

Only if you installed the opensshd-package and use AllowUsers in /pkg/etc/sshd_config: Now it is safe to remove root from the AllowUsers section. Remember to restart sshd.

If you use ile, you will notice that it doesn't work with your new user. To fix this, edit /etc/profile. Look for the line that says

[ ${BIGMEM:-y}$LOGNAME = yroot ] && exec ile

Either replace the word yroot with the name of your new root user (including a leading y) or just remove everything except the y. The latter approach will make ile available for all users, while the former limits ile to the new root user.

[ ${BIGMEM:-y}$LOGNAME = ynewrootname ] && exec ile

or

[ ${BIGMEM:-y}$LOGNAME = y ] && exec ile

Log out and back in again to verify ile works as it should.

Copy /etc/profile to /boot/etc/ to make it survive a reboot

This approach was suggested by Thasaidon in this thread, and the ile fix was provided by Lightning here.

The perfect way to administer your box remotely! The latest version on my box is 3.7.1p1 by Dingetje. See this thread. After installation, remember to

edit /pkg/rc/rc_opensshd and comment out

ipfwadm -I -a deny -P tcp -W $INET -D 0.0.0.0/0 $PORT -y -o

by putting a # at the beginning of the line. This is a firewall rule which denies ssh connections from the Internet. By commenting it out, you will be able to connect to your FREESCO from another machine on the Internet.

At the prompt, type rc_masq restart. This will restart the firewall and remove the above rule.

If you want to restrict which users can ssh to your box, edit /pkg/etc/sshd_config and add an AllowUsers section with the user names that should be able to log on. AllowUsers and DenyUsers can be combined, and DenyUsers takes precedence. After doing this, you need to restart ssh by typing rc_opensshd restart
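The root-replacement steps earlier on this page and the AllowUsers/DenyUsers rule above share one failure mode: locking yourself out of the box. The preflight check below is an added example, not part of the original page or of any FREESCO package; the name newrootname and the sample files are constructed, and only exact user names are matched.

```shell
#!/bin/sh
# Added example: lockout preflight for the root-replacement steps.
# "newrootname" and the sample files at the bottom are constructed.

# Print every account with uid 0 whose shell is not /bin/false.
uid0_logins() {   # $1 = passwd file
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" = 0 ] && [ "$shell" != /bin/false ]; then
            echo "$name"
        fi
    done < "$1"
}

# Succeed if sshd_config $1 admits user $2; DenyUsers wins over AllowUsers.
# Only exact names separated by single spaces are matched (no patterns,
# no user@host), so an unrecognised AllowUsers entry reads as "not listed".
ssh_allows() {
    allow_seen=0 allowed=0
    while read -r key rest; do
        case $key in
            [Dd]eny[Uu]sers)
                case " $rest " in *" $2 "*) return 1 ;; esac ;;
            [Aa]llow[Uu]sers)
                allow_seen=1
                case " $rest " in *" $2 "*) allowed=1 ;; esac ;;
        esac
    done < "$1"
    [ "$allow_seen" = 0 ] || [ "$allowed" = 1 ]
}

# Report whether $3 could still log in once root's shell is /bin/false.
preflight() {   # $1 = passwd, $2 = sshd_config, $3 = new admin name
    if ! uid0_logins "$1" | grep -xF "$3" >/dev/null; then
        echo "FAIL: $3 is not a uid-0 account with a login shell"; return 1
    fi
    if ! ssh_allows "$2" "$3"; then
        echo "FAIL: sshd_config would reject $3"; return 1
    fi
    echo "OK: $3 can log in"
}

# Constructed state: passwd already edited, AllowUsers not yet updated.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:x:0:0:root:/:/bin/sh' 'newrootname:x:0:0::/:/bin/sh' \
    'www:x:500:100::/home/www:/bin/false' > "$tmp/passwd"
printf '%s\n' 'Port 22' 'AllowUsers root' > "$tmp/sshd_config"
preflight "$tmp/passwd" "$tmp/sshd_config" newrootname || true
```

Run it against copies of /etc/passwd and /pkg/etc/sshd_config, with your own user name in place of newrootname, before changing root's shell.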

This section describes how to modify your PATH environment variable. This is useful when you want to have easy access to scripts and binaries not located in the “standard” directories. One example of this is when you write your own scripts and put them in one of your own directories. When running such a script, you have to type

/the/whole/path/to/the/script

in order to run it. Another example is if you install a package such as mySQL which comes with a bin directory full of accessories. To access this stuff, you have to remember and type the correct path, i.e.

/usr/local/mySQL/bin/mysqladmin

By adding the directories to your PATH, you don't have to give the full path when running the script/binary. Instead of typing the above, you can simply type

mysqladmin

at the prompt.

For now, suppose you have your own scripts stored in /mnt/disk2/binaries and you want to include that directory in the path. Also suppose you have mySQL installed and that you want to add the bin directory (/usr/local/mySQL/bin) to the path as well.

The PATH variable is set in the profile file, located in /etc/, so in order to modify the variable, we must edit that file. The first thing to do is to create new environment variables for the directories you want to add to your path. Environment variables are created with the structure

VARIABLE_NAME=variable_value

There should be no space between the equal sign and the variable name or the variable value. To declare the necessary variables, just add the following at the beginning of the file (just after the #!/bin/sh line):

MYBIN=/mnt/disk2/binaries
MYSQL=/usr/local/mySQL/bin

A bit down in the file there is a line starting with

export TTY="`tty`" TERM=linux PS1 PATH=/boot/bin:...

Move the cursor to this line and place it just after the equal sign after the “PATH” word. Here you insert the values of your environment variables. To get the value out of the variables, you must add the $ sign just before the variable. After the variable, add a colon. Note: no spaces should be added! This means that after editing the line, it should look like this:

export TTY="`tty`" TERM=linux PS1 PATH=$MYBIN:$MYSQL:/boot/bin:...

Save your work and log in again. If you have done it all correctly, you should be able to access your scripts without typing the whole path, as well as the mySQL binaries, just like this:

[Linux] mysqladmin

The final step is to make your profile survive a reboot. Right now it is only stored in /etc/ which is RAM, so it will be rewritten on the next reboot. To make your profile permanent, just copy it to /boot/etc/.
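Because the edited line puts $MYBIN and $MYSQL ahead of /boot/bin, a file in either directory wins over a system command of the same name, and a misspelled variable leaves an empty entry that makes the shell search the current directory. The audit below is an added example, not part of the original page; the directories under $demo are constructed stand-ins for the real ones.

```shell
#!/bin/sh
# Added example: audit a PATH value like the one built in /etc/profile.
# The directories under $demo are constructed stand-ins for
# /mnt/disk2/binaries, /usr/local/mySQL/bin and /boot/bin.

audit_path() {   # $1 = colon-separated PATH string
    earlier=""
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -z "$dir" ]; then
            # e.g. a misspelled $MYBIN expands to nothing: ":$MYSQL:..."
            echo "EMPTY: current directory is searched"
            continue
        fi
        if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "WRITABLE: $dir can be modified by any user"
        fi
        for file in "$dir"/*; do
            [ -f "$file" ] && [ -x "$file" ] || continue
            cmd=${file##*/}
            # A same-named executable in an earlier directory is the one that runs.
            for first in $earlier; do
                if [ -f "$first/$cmd" ] && [ -x "$first/$cmd" ]; then
                    echo "SHADOW: $first/$cmd runs instead of $file"
                    break
                fi
            done
        done
        earlier="$earlier$dir:"
    done
    IFS=$old_ifs
}

# Constructed demo tree: mybin holds its own "ls" and is world-writable.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir "$demo/mybin" "$demo/mysqlbin" "$demo/bootbin"
for f in mybin/ls mysqlbin/mysqladmin bootbin/ls bootbin/vi; do
    printf '#!/bin/sh\n' > "$demo/$f"; chmod 755 "$demo/$f"
done
chmod 755 "$demo/mysqlbin" "$demo/bootbin"; chmod 777 "$demo/mybin"
MYBIN=$demo/mybin MYSQL=$demo/mysqlbin
audit_path "$MYBIN:$MYSQL:$demo/bootbin"
```

Call it as audit_path "$PATH" after logging in again; any SHADOW or WRITABLE line matters most for the account that runs with uid 0.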

This is a cool package, keeping track of your uptime history. You call a PHP script which can create images like this: Uptime. Just follow these instructions.

After installation, run crontab and insert the following line:

* * * * * /usr/local/upla/upla_track 1>/dev/null 2>/dev/null

This will make UpLa calculate your uptime every minute. You can start, stop and restart the package with /pkg/rc/rc_upla. When calling your PHP script, you can modify the layout of the generated image with the arguments chart, key, font and time in the URL. For example, this